GDPR Compliance in the Middle East: The ChallengesEducating Companies About the Tougher Requirements
The many companies in the Middle East that do business in Europe - and handle European's data - now must comply with the European Union's new General Data Protection Regulation. And some security experts say that could lead to a boost in data security practices in the region.
GDPR is already in effect, but it won't be enforced until May 25, 2018. Before then, any organization with European customers must ensure that they comply with various new measures mandated by the EU law, which include mandatory data breach notifications and stronger privacy protections for consumers as well as stringent data security requirements. GDPR also gives privacy regulators stronger enforcement powers. Any organization that violates the rules could face fines of up to 4 percent of their global annual revenue or € 20 million ($21.2 million) - whichever is greater.
Qatar-based Samir Pawaskar, a security practitioner heading cybersecurity policy and standards teams, predicts the EU regulation will lead more Middle Eastern companies to implement the right governance, processes and security controls.
"The regulation would entail companies to probably re-engineer their processes and information systems to ensure compliance with GDPR unless they have an adequate privacy assessment and compliance processes in place," Pawaskar says.
Understanding the Policy Nuances
Many Middle Eastern countries already have implemented their own data protection regulations. For instance, Qatar issued a Data Privacy and Protection Law in 2016, which is closely aligned with GDPR.
But in some cases, complying with local regulations as well as GDPR could prove challenging if the requirements differ, says Ahmed Qurram Baig, president of CISO Council.
Middle Eastern countries' privacy and breach notification regulations, in general, are less strict and detailed than GDPR.
Increasing Threats Demand Breach Disclosure
The Middle East region is increasingly the target of cyberattacks, which is making improving data security more urgent. For example, in its latest "Review of the Year," Kaspersky Lab revealed the UAE was the target of at least three massive cyberattacks in 2016. And CERT-ae reports that region has been victimized by malware attacks, phishing and social engineering.
In fact, GDPR could serve as a catalyst for nations in the region to enforce stronger privacy protections and breach disclosure requirements, some security experts say.
"Middle East government and enterprises such as Qatar's Financial trade centre are establishing directives which mandate enterprises to share details of information security breaches to a centralized authority, which can then be shared with other enterprises to ensure that they have established controls to mitigate them, and that the breach is contained," says Bahrain-based Dr. Jassim Haji, director, information technology for Gulf Air. "However, it is not mandatory to disclose a breach at this point in time." So GDPR could lead more companies to more promptly disclose breaches, he says.
Key Compliance Challenges
In preparing for GDPR compliance, companies and the region face several key challenges, Baig says. Those include:
- Demonstrating their ability to manage and protect personal data;
- Increasing investment in data protection;
- Devising ways to report breach incidents within the required 72 hours;
- Determining who will take the lead role in data protection and privacy, whether that's executive management, the board the CISO or a data protection officer.
Security experts in the region say there's a lack of awareness among many companies about the tougher requirements of GDPR - and who must comply.
Haji says that security leaders should start awareness campaigns among the IT team and those in other departments to ensure that everyone knows their responsibilities.
"It is key to take a collaborative approach to work closely with the peers in the industry and enhance incident response mechanism on the lines recommended by CERT," he stresses.
To help prepare for GDPR compliance, Baig recommends organizations in the region adopt security controls, such as encryption and access restriction, along with ongoing monitoring of data access. Also essential, he says, is conducting a privacy impact assessment identifying and assessing privacy risks.